MECIT
Create a BOVPN between Watchguard X550e and XTM21
I am attempting to create a BOVPN between two WatchGuard devices, an X550e and an XTM21.
I have followed the instructions off the WG website. I am still having issues connecting.
I can see the gateway but no tunnel.
I currently have an existing BOVPN to a vendor network and it works.
Does it matter that I used the same external IP to create the second tunnel?
I am using the secondary IPs assigned by our ISP as the external IP on the XTM 21; would that be an issue?
Any suggestions?
ASKER
I have the logs running but the only thing that shows up is the working BOVPN.
There is nothing with the one I just created.
I don't even see it failing.
Do any other policies affect the BOVPN?
Is there something else I should do?
Have a look at link below:
http://customers.watchguard.com/articles/Article/3002?retURL=%2Fapex%2FknowledgeHome&popup=false
Please check and update.
Thank you.
As I said, you cannot use a secondary IP, you need the primary.
Modify and test again please.
ASKER
I went back and recreated the BOVPN.
I used the default settings and created a new shared key, and I noticed that I had the incorrect IP on one of the remote gateways on Site A.
Once I made these changes, the tunnel was created.
However, I cannot ping anything on either side. From Site B, I cannot access servers on Site A.
ASKER
On both WatchGuards I have the following policies:
Site A
BOVPN-Allow.IN Any From: Any To: Tunnel to Site B Any
BOVPN-Allow.Out Any From: Tunnel to Site B To:Any Any
Site B
BOVPN-Allow.IN Any From: Any To: Tunnel to Site A Any
BOVPN-Allow.Out Any From: Tunnel to Site A To:Any Any
They were created automatically.
Policies look good.
What is the IP subnet on both sides of the VPN tunnel; also on the machines at either end; WG internal IP must be default gateway. Finally, ensure that there is no personal firewall/antivirus blocking the traffic.
ASKER
Tunnel Routes
Site A : 172.16.100.0/24 <==> 172.16.5.0/24
Site B : 172.16.5.0/24 <==> 172.16.100.0/24
Gateways are correct on computers.
Is the tunnel really UP; can you post sanitized screenshots and/or logs.
Sent 0; received 0; interesting...looks like no packet is getting routed over the tunnel.
Can you post sanitized screenshot of VPN config from both the boxes; gateway, tunnel, routing policy, firewall policy from both the boxes.
ASKER
Here are some logs from Site B:
2011-11-04 14:04:48 iked Use IKE Policy[Hondo] Debug
2011-11-04 14:04:48 iked Ignore a re-transmitted message from 70.x.x.x:500 to 12.x.x.x cookies i=2be71757 31caf3e9 r=76ccd960 658c0994 since Phase 1 has ended Debug
2011-11-04 14:04:48 iked ike_process_pkt : ProcessData returned error (-1) Debug
2011-11-04 14:04:51 iked IkeLifeTimeout : remove the p1sa struct 183b78 (peer 70.x.x.x) in DELETING state Debug
2011-11-04 14:04:51 iked IkeDeleteIsakmpSA: try to delete Isakmp SA 0x183b78 Debug
2011-11-04 14:04:51 iked IkeDeleteIsakmpSA: (DELETING) Isakmp SA 183b78 peer 70.x.x.x Debug
2011-11-04 14:04:51 iked Use IKE Policy[Hondo] Debug
2011-11-04 14:04:51 iked IkeDeleteIsakmpSA: pcyName Hondo numP1SAActive 1 Debug
2011-11-04 14:04:51 iked IkeDeleteIsakmpSA: found it, remove IkeSA 183b78 from IkePolicy Debug
2011-11-04 14:04:51 iked IkeDeleteIsakmpSA: from pcy list, P1SANum created 11, active 1 Debug
2011-11-04 14:04:51 iked IkeDropIkeSAByAddr: delete IkeSA from peerTable idx 115 peer1 0x0ccd18e4 peer2 0x46fcebc6 Debug
2011-11-04 14:04:51 iked (Delete P1SA) rasUserCapacity 1 count 0 Debug
2011-11-04 14:04:51 iked (Delete P1SA) maxPendingP2SARequest 128 current 0 Debug
2011-11-04 14:04:51 iked ******** RECV an IKE packet at 12.x.x.x:500(socket=11 ifIndex=2) from Peer 70.x.x.x:500 ******** Debug
2011-11-04 14:04:51 iked IkeFindIsakmpPolicy: --> Debug
2011-11-04 14:04:51 iked ike_match_if_name: Match pcy [IPAD_mu] dev=anyE, pkt if[2]=eth0 Debug
2011-11-04 14:04:51 iked ike_match_if_name: Match pcy [Hondo] dev=eth0, pkt if[2]=eth0 Debug
2011-11-04 14:04:51 iked Found IKE Policy [Hondo, dev=eth0] for peer IP=70.x.x.x, numXform=1, pkt ifIndex=2 Debug
2011-11-04 14:04:51 iked IKE Policy details: 1th xform: grp=2 auth=1 encrypt=5 hash=2 lifeTime=28800 lifeKB=0 Debug
2011-11-04 14:04:51 iked IkeFindIsakmpPolicy: <-- Debug
2011-11-04 14:04:51 iked Use IKE Policy[Hondo] Debug
2011-11-04 14:04:51 iked Ignore a re-transmitted message from 70.x.x.x:500 to 12.x.x.x cookies i=2be71757 31caf3e9 r=76ccd960 658c0994 since Phase 1 has ended Debug
2011-11-04 14:04:51 iked ike_process_pkt : ProcessData returned error (-1) Debug
All settings look good.
It doesn't look like the VPN tunnel is UP; I see retransmits ignored and Phase 1 cookies deleted.
Can you remove all VPN settings from the box and save to flash [box reboots]; then add the VPN settings again, save to flash again, and check the results [one by one on each box].
Thank you.
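The diagnosis above is read off the iked debug lines by hand. As an added example (not part of the thread, not WatchGuard code), the following Python script groups the same Phase 1 events per remote gateway so the "retransmits ignored while Phase 1 SAs are deleted" pattern is counted rather than eyeballed; the sample log is constructed in the format of the Site B lines quoted above, and the verdict thresholds are my own heuristic.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the Site B iked debug lines quoted in the thread.
SAMPLE_LOG = """\
2011-11-04 14:04:48 iked Ignore a re-transmitted message from 70.x.x.x:500 to 12.x.x.x cookies i=2be71757 31caf3e9 r=76ccd960 658c0994 since Phase 1 has ended Debug
2011-11-04 14:04:48 iked ike_process_pkt : ProcessData returned error (-1) Debug
2011-11-04 14:04:51 iked IkeLifeTimeout : remove the p1sa struct 183b78 (peer 70.x.x.x) in DELETING state Debug
2011-11-04 14:04:51 iked IkeDeleteIsakmpSA: from pcy list, P1SANum created 11, active 1 Debug
2011-11-04 14:04:51 iked Found IKE Policy [Hondo, dev=eth0] for peer IP=70.x.x.x, numXform=1, pkt ifIndex=2 Debug
2011-11-04 14:04:51 iked Ignore a re-transmitted message from 70.x.x.x:500 to 12.x.x.x cookies i=2be71757 31caf3e9 r=76ccd960 658c0994 since Phase 1 has ended Debug
"""

RETRANSMIT = re.compile(r"Ignore a re-transmitted message from (?P<peer>\S+):\d+ .*since Phase 1 has ended")
P1_DELETE = re.compile(r"remove the p1sa struct \w+ \(peer (?P<peer>\S+)\) in DELETING state")
P1_COUNT = re.compile(r"P1SANum created (?P<created>\d+), active (?P<active>\d+)")
POLICY = re.compile(r"Found IKE Policy \[(?P<pcy>\w+), dev=\w+\] for peer IP=(?P<peer>[^,\s]+)")


def summarize(log_text):
    """Count Phase 1 events per remote gateway. Lines that name no peer
    (the P1SANum counters) are attributed to the peer of the preceding line."""
    peers = defaultdict(lambda: {"ignored_retransmits": 0, "p1_deleted": 0,
                                 "p1_created": None, "p1_active": None, "policy": None})
    current = None
    for line in log_text.splitlines():
        if m := RETRANSMIT.search(line):
            current = m["peer"]
            peers[current]["ignored_retransmits"] += 1
        elif m := P1_DELETE.search(line):
            current = m["peer"]
            peers[current]["p1_deleted"] += 1
        elif m := POLICY.search(line):
            current = m["peer"]
            peers[current]["policy"] = m["pcy"]
        elif current and (m := P1_COUNT.search(line)):
            peers[current]["p1_created"] = int(m["created"])
            peers[current]["p1_active"] = int(m["active"])
    return dict(peers)


def verdict(stats):
    """Heuristic reading (an assumption, not a WatchGuard rule): Phase 1 SAs being
    deleted while the peer still retransmits an old exchange means churn, not a stable tunnel."""
    if stats["ignored_retransmits"] and stats["p1_deleted"]:
        return "phase1-churning"
    if stats["p1_active"]:
        return "phase1-up"
    return "no-phase1"
```

Run `summarize()` over a longer capture from Traffic Monitor and compare the per-peer counts with the remote gateway's own log; a peer that shows churn on one side only usually points at a mismatch in the gateway settings on that side.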
ASKER
Tried it but same issue.
Active tunnel but no send/receive data.
Can you try and run a traceroute to one of the sites and see if you get to the firewall or the remote firewall?
Also check that there aren't any persistent routes for some reason in one of the boxes.
ASKER
Site A has a persistent route to 172.16.5.0
I will test the traceroute and let you know.
ASKER
We have two sets of IP blocks that were assigned to us for our internet.
For testing I am using both sets, just in case.
Site A 70.x.x.x
Site B 12.x.x.x
Would this cause an issue?
Once in production the XTM will have a different IP.
When I did the traceroute, the 1st hop was the internal IP of the firewall and the 2nd hop was the gateway of the 70.x.x.x block, then it times out. This was on both devices.
ASKER
My mistake, Site A does not have a persistent route to that subnet.
lol :)
glad u solved it )
ASKER
Thanks everyone for trying to help me resolve this.
I'm not sure what you mean, but you cannot use a secondary IP for a BOVPN.
You can use 1 IP several times for other tunnels.
Also, you can enable logging for IPSec so you can see what's going on:
in Policy Manager, Setup --> Logging --> Diagnostic,
then save the config. Now open System Manager --> under Traffic Monitor --> choose the debug icon (little beetle).
Then see if there are any logs.